Re: [Exim] Header Data

Author: Matthew Byng-Maddick
Date:  
To: exim-users
Subject: Re: [Exim] Header Data
On Thu, Jan 03, 2002 at 09:17:53AM -0500, Joseph Kezar wrote:
> I'll tell you what I did now.
> Let me know if this is the correct way of finding the envelope-sender:


It is one correct way, yes. Of course it assumes the logs are readable.

The return_path should be the sender address too, but may also be <> for
a bounce.

> cat /var/log/exim_mainlog | grep 16M8YJ-0006ut-00(messageid from a SPAM
> email)
> proves:
> 2002-01-03 09:09:05 16M8YJ-0006ut-00 <= opt-in@???
> H=(mx2.state.vt.us) [170.222.64.130] P=esmtp S=6091
> id=20020103135240.24285.qmail@???
>
> I am strongly guessing 'opt-in@???' is the
> envelope-sender.


In this case, yes. This line says that "Today, at 09:09:05, a message,
given queueid 16M8YJ-0006ut-00 was injected into the mail system by
'opt-in@???', over esmtp from a host which said
HELO as 'mx2.state.vt.us' but had no reverse lookup, and had an IP
address of 170.222.64.130. It was 6091 octets long, and had a Message-ID
header of '20020103135240.24285.qmail@???'."

> And this is the sender that needs to be added to my /usr/exim/rejectlist
> Am I correct?


Yes, although you may not see it again...

At this point, I'll plug http://colondot.net/mbm/mailfilter.shtml, which
has stuff on auto-blacklisting for bait addresses.

MBM

--
Matthew Byng-Maddick         <mbm@???>           http://colondot.net/
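The field-by-field reading of the `<=` line given in the reply above, as an added example that is not part of the original message: a small parser for Exim main-log arrival lines that also flags the `<>` bounce sender. The function names are hypothetical, and the sample lines are constructed, with `example.com` and `example.org` standing in for the domains the archive redacts as `???`.

```python
import re

# "<date> <time> <queue-id> <= <envelope-sender> <fields...>"
ARRIVAL = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<qid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) <= "
    r"(?P<sender>\S+)(?P<rest>.*)$")
# H=(helo) [ip] when there is no reverse lookup, H=name (helo) [ip] otherwise
HOST = re.compile(r"\bH=(?:(?P<name>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?"
                  r"\[(?P<ip>[^\]]+)\]")
FIELD = re.compile(r"\b(?P<key>P|S|id)=(?P<val>\S+)")
NAMES = {"P": "protocol", "S": "size", "id": "message_id"}

def parse_arrival(line):
    """Return the fields of one '<=' line, or None for any other log line."""
    m = ARRIVAL.match(line.strip())
    if m is None:
        return None
    rec = {"when": m["date"] + " " + m["time"], "queue_id": m["qid"],
           "sender": m["sender"], "bounce": m["sender"] == "<>",
           "host_name": None, "helo": None, "ip": None}
    h = HOST.search(m["rest"])
    if h:  # H= is absent for locally submitted mail
        rec.update(host_name=h["name"], helo=h["helo"], ip=h["ip"])
    for f in FIELD.finditer(m["rest"]):
        rec[NAMES[f["key"]]] = f["val"]
    if "size" in rec:
        rec["size"] = int(rec["size"])
    return rec

def find_arrival(log_lines, queue_id):
    """Arrival record for one queue id, like grepping the main log for it."""
    for line in log_lines:
        rec = parse_arrival(line)
        if rec and rec["queue_id"] == queue_id:
            return rec
    return None

# Constructed sample log: an arrival, its delivery, and a local bounce.
SAMPLE_LOG = [
    "2002-01-03 09:09:05 16M8YJ-0006ut-00 <= opt-in@example.com "
    "H=(mx2.state.vt.us) [170.222.64.130] P=esmtp S=6091 "
    "id=20020103135240.24285.qmail@example.com",
    "2002-01-03 09:09:06 16M8YJ-0006ut-00 => joe <joe@example.org> "
    "D=localuser T=local_delivery",
    "2002-01-03 09:12:40 16M8bM-0006v3-00 <= <> R=16M8YJ-0006ut-00 "
    "U=mail P=local S=1412",
]

if __name__ == "__main__":
    print(find_arrival(SAMPLE_LOG, "16M8YJ-0006ut-00"))
```

A record with `bounce` set has the null sender `<>`, so there is no sender address in it to add to a reject list.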